Federal Agencies Are Going Multi-Cloud. The Reasoning and the Watchouts
The federal government has steadily advocated for its agencies to adopt cloud computing over the past decade. Today, quite often, that means supporting a multi-cloud environment that provides flexibility and cost efficiency.
From Cloud First to Multi-Cloud
Ten years ago, the OMB released its “Cloud First” strategy as part of the federal IT modernization effort, which granted agencies broad authority to adopt cloud-based solutions but did not provide specific guidance on how to do so. Three years ago, the OMB released a new strategy called “Cloud Smart” that included practical implementation guidance based on information and recommendations from public and private case studies, focusing on three key pillars of successful cloud adoption: security, procurement, and workforce skills.
As the private sector’s cloud adoption accelerated in 2020 due to the COVID-19 global pandemic, federal agencies spent a new record high of $7.7B on cloud computing in fiscal 2020. One area particularly attractive to federal agencies is speeding up the turnaround time for an Authority to Operate (ATO). ATOs traditionally can take six months or longer for approval, but by using cloud services and security control inheritance, the National Geospatial-Intelligence Agency reduced that time to within seven days.
Yet the unique security, budgetary, and procurement requirements of the federal government mean that successfully implementing multi-cloud and unlocking its value require more beyond just a shift to multi-cloud. Agencies must implement management and governance processes that provide full visibility into cloud usage and automation that delivers the efficiency, security, and compliance they seek.
Last year, a report by MeriTalk, “Juggling the Clouds: What Are Agencies Learning,” found that 81% of federal IT decision makers surveyed said their agency already uses multiple cloud platforms. The Department of Defense’s contested Joint Enterprise Defense Infrastructure (JEDI) cloud contract now has the Pentagon looking to multi-cloud as a potential solution to the current impasse — a similar approach the Central Intelligence Agency used when recently awarding the C2E contract to Amazon, Microsoft, Google, Oracle, and IBM in November.
Multi-Cloud Benefits and Watchouts
The benefits of avoiding vendor lock-in, better budgeting to realize cost efficiencies, and ability to tap into each provider’s unique solutions — for instance, Google’s prowess in analytics — and tailor an infrastructure that meets an agency’s specific needs are all reasons why multi-cloud is attractive to federal agencies. A solid multi-cloud foundation creates the ability for each program within an agency to tap into the cloud services most useful to them to unlock rapid innovation and accelerate the launch of new applications.
Yet nearly half of those surveyed by MeriTalk said that their agency is not adequately preparing for their multi-cloud future, and three out of four said that managing a multi-cloud environment will be one of their top challenges over the next five years.
Visibility and controlling spend in a single cloud provider is challenging enough. Multi-cloud environments make it much that much more challenging, as agencies need to find solutions that provide centralized visibility and controls across multiple clouds. Agencies are responsible for cost and security, like any private enterprise, but federal agencies must also comply with the Antideficiency Act, which levies penalties for spending beyond appropriations or funds allocated to each agency.
Cloud security regimes are evolving as well. The Federal Risk and Authorization Management Program (FedRAMP) released its High Baseline Requirements in 2016, which are becoming the standard for cloud programs that use personal health information or DoD-controlled unclassified information. While 80% of federal information is categorized at low and moderate impact levels, that only represents about half of federal IT spend. The high impact requirements opened the door for the remaining 50% to potentially move to the cloud securely.
At the Pentagon, the Cybersecurity Maturity Model Certification (CMMC) released in January 2020 impacts all suppliers of IT and cloud services to the Pentagon. Each of these changes means government agencies and contractors will need to enhance their security and compliance practices to support around a hundred or more additional security controls.
The DoD must also grapple with higher classification environments alongside its low-side access. Using different, sometimes highly manual processes to control access in higher classification air-gapped regions than what is used in unclassified cloud environments is the norm today. This typically leads to confusion for end users and can dampen productivity due to the complexity of a multi-cloud environment with different levels of security, identity, and access across these approval processes.
Unlock Multi-Cloud Success with Governance
Cloud providers do provide some management and governance solutions, but since they are competitors, agencies won’t find a comprehensive solution that works across all leading providers. That’s why achieving the full value and benefits of a multi-cloud environment — avoiding vendor lock-in, better cost controls, and utilizing each provider’s best-in-class solutions — isn’t an out-of-the-box solution from a provider. And without automation for areas like account provisioning, budget enforcement, and regulatory compliance, the same time-consuming manual processes that exist today will continue.
A multi-cloud approach offers tremendous benefits to federal agencies, but makes it more important than ever to start with a governance plan and approach that provides the full visibility, automation, and management needed to unlock its value.
At cloudtamer.io, we specialize in helping the DoD and other government agencies achieve multi-cloud governance. I'd love to have an opportunity to discuss your challenges and how we can help - reach out to us!
About the author: Tim is the director of cloudtamer.io's federal division.